Create Alerts

To create new alerts and modify existing alerts, the account used to connect to Netwrix Auditor Server via Netwrix Auditor client must be assigned the Global administrator or Global reviewer role in the product.

To set up a response action, this account must also be a member of the local Administrators group on Netwrix Auditor Server.

On the main Netwrix Auditor page, navigate to the Configuration section and click the Alerts tile.

NOTE: You can also create a new alert directly from the interactive search results. Navigate to Tools and select Create alert to add a new alert with the same set of filters as your search.

In the All Alerts window, click Add. Configure the following options:

General

Specify a name and enter the description for the new alert.

NOTE: Make sure that the Send alert when the action occurs option is enabled. Otherwise, the new alert will be disabled.

Apply tags—Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window.

Once you have configured all filters, click Preview on the right pane to see the search-based list of events that will trigger your alert.

Thresholds

If necessary, enable a threshold for the new alert. In this case, a single alert will be sent instead of many separate alerts. This is helpful when Netwrix Auditor detects many activity records matching the filters you specified.

Slide the switch under the Send alert when the threshold is exceeded option and configure the following:

Limit alerting to activity records with the same...—Select a filter in the drop-down list (e.g., Who). Netwrix Auditor will then group activity records that have the same value in the filter you selected.

NOTE: Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. Mind that in this case the product does not sum up risk scores; it shows the single value you associated with this alert. This may significantly reduce risk score accuracy.

Send alert for <...> activity records within <...> seconds—Specify the number of activity records that must occur within a given period (in seconds) for the alert to be sent.

For example, you want to receive an alert on suspicious activity. You select "Action" in the Limit alerting to activity records with the same list and specify the number of actions to be considered unexpected behavior: 1000 changes in 60 seconds. When the selected threshold is exceeded, an alert is delivered to the specified recipients: one for every 1000 removals in 60 seconds, and one for every 1000 failed removals in 60 seconds. So you can easily discover what is going on in your IT infrastructure.
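The following simulation is an added example, not Netwrix Auditor code, and it illustrates how the two threshold settings interact: records are grouped by the value of the selected filter, and one alert is produced each time the configured number of records with that value falls inside the time window. The record field names (when, who, action, what), the sample records and the 3-records-in-60-seconds threshold (scaled down from the 1000/60 in the text) are all constructed; the exact windowing the product uses is not documented on this page, so treating a reported batch as the start of a fresh window is an assumption.

```python
"""Simulate threshold-based alert grouping over activity records.

Constructed example; not Netwrix Auditor code. Field names mirror the filter
names shown in the alert dialog (who, action, what) and are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample activity records (timestamps, users and paths are made up).
SAMPLE_RECORDS = [
    {"when": "2024-01-01 09:00:00", "who": "alice", "action": "Removed",          "what": r"\\fs01\share\q1.xlsx"},
    {"when": "2024-01-01 09:00:10", "who": "alice", "action": "Removed",          "what": r"\\fs01\share\q2.xlsx"},
    {"when": "2024-01-01 09:00:20", "who": "bob",   "action": "Removed",          "what": r"\\fs01\share\q3.xlsx"},
    {"when": "2024-01-01 09:00:25", "who": "alice", "action": "Removed (failed)", "what": r"\\fs01\share\hr.docx"},
    {"when": "2024-01-01 09:00:30", "who": "alice", "action": "Removed (failed)", "what": r"\\fs01\share\pay.docx"},
    {"when": "2024-01-01 09:02:00", "who": "alice", "action": "Removed (failed)", "what": r"\\fs01\share\ceo.docx"},
    {"when": "2024-01-01 09:02:10", "who": "bob",   "action": "Removed",          "what": r"\\fs01\share\a.txt"},
    {"when": "2024-01-01 09:02:15", "who": "bob",   "action": "Removed",          "what": r"\\fs01\share\b.txt"},
    {"when": "2024-01-01 09:03:30", "who": "bob",   "action": "Removed",          "what": r"\\fs01\share\c.txt"},
]


def parse(records):
    """Convert the 'when' strings to datetimes and return the records in time order."""
    out = []
    for r in records:
        rec = dict(r)
        rec["when"] = datetime.strptime(r["when"], "%Y-%m-%d %H:%M:%S")
        out.append(rec)
    return sorted(out, key=lambda r: r["when"])


def threshold_alerts(records, group_by, count, window_seconds):
    """Return one alert per group each time `count` records sharing the same
    `group_by` value occur within `window_seconds`.

    group_by      -- the "Limit alerting to activity records with the same..." filter
    count         -- the "Send alert for <...> activity records" number
    window_seconds-- the "within <...> seconds" period
    With count=1 this degenerates to a non-threshold alert: one alert per record.
    """
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(deque)  # group value -> timestamps still inside the window
    alerts = []
    for rec in parse(records):
        key = rec[group_by]
        q = pending[key]
        q.append(rec["when"])
        # Drop records that have slid out of the window relative to the newest one.
        while q and rec["when"] - q[0] > window:
            q.popleft()
        if len(q) >= count:
            alerts.append({
                "group_by": group_by,
                "value": key,
                "records": len(q),
                "fired_at": rec["when"].strftime("%Y-%m-%d %H:%M:%S"),
            })
            q.clear()  # assumption: the reported batch starts a fresh window
    return alerts


if __name__ == "__main__":
    for group_by in ("action", "who"):
        for alert in threshold_alerts(SAMPLE_RECORDS, group_by, count=3, window_seconds=60):
            print(f"{alert['fired_at']}  {alert['records']} records with {group_by}={alert['value']!r}")
    print(len(threshold_alerts(SAMPLE_RECORDS, "action", count=1, window_seconds=60)), "alerts without a threshold")
```

Grouping by action reports the three removals completed between 09:00:00 and 09:00:20 as one alert, while the failed removals and the later removals never reach three within a minute and stay silent. Grouping the same records by who instead fires once for alice, which is the grouping the Behavior Anomalies list relies on. Setting the count to 1 sends nine separate alerts, which is exactly the flood the threshold is meant to prevent.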

Associate a risk score with the alert—Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky.

These are general guidelines you can adopt when setting a risk score:

High score—Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients.

Above medium score—Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients.

Low score—Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert; email recipients are optional, but make sure to regularly review the Behavior Anomalies dashboard.

Low score—Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of such action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert; email recipients are optional, but make sure to regularly review the Behavior Anomalies dashboard.

Response Action

You can instruct Netwrix Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Netwrix Auditor Server. Slide the switch to turn the feature ON, then follow the steps described in the Configure a Response Action for Alert section.